Merge pull request #5221 from stonezdj/admin_with_ldap_group
Add a setting, ldap_group_admin_dn, that grants Harbor admin privilege to members of the named LDAP group
This commit is contained in:
commit
d65a7baf7e
@ -3494,6 +3494,9 @@ definitions:
|
||||
ldap_group_search_scope:
|
||||
type: integer
|
||||
description: The scope to search ldap. '0-LDAP_SCOPE_BASE, 1-LDAP_SCOPE_ONELEVEL, 2-LDAP_SCOPE_SUBTREE'
|
||||
ldap_group_admin_dn:
|
||||
type: string
|
||||
description: Specify the ldap group which have the same privilege with Harbor admin.
|
||||
project_creation_restriction:
|
||||
type: string
|
||||
description: >-
|
||||
|
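Review bot: The description of `ldap_group_admin_dn` says "the ldap group", but the authenticator compares the configured value as a plain string against the user's group DNs, so an operator who enters a CN or a differently formatted DN silently gets no admins at all; the description should spell out the format and the effect, e.g. `description: Full DN of the LDAP group whose members are granted Harbor system-admin privilege at login; compared as a string against the user's group DNs (e.g. cn=harbor_admins,ou=groups,dc=example,dc=com).` The grammar of the current text ("which have the same privilege with") should be fixed in the same line.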
@ -61,3 +61,4 @@ REGISTRY_STORAGE_PROVIDER_NAME=$storage_provider_name
|
||||
READ_ONLY=false
|
||||
SKIP_RELOAD_ENV_PATTERN=$skip_reload_env_pattern
|
||||
RELOAD_KEY=$reload_key
|
||||
LDAP_GROUP_ADMIN_DN=$ldap_group_admin_dn
|
@ -344,6 +344,8 @@ else:
|
||||
#Use reload_key to avoid reload config after restart harbor
|
||||
reload_key = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(6)) if reload_config == "true" else ""
|
||||
|
||||
ldap_group_admin_dn = rcp.get("configuration", "ldap_group_admin_dn") if rcp.has_option("configuration", "ldap_group_admin_dn") else ""
|
||||
|
||||
render(os.path.join(templates_dir, "adminserver", "env"),
|
||||
adminserver_conf_env,
|
||||
reload_config=reload_config,
|
||||
@ -364,6 +366,7 @@ render(os.path.join(templates_dir, "adminserver", "env"),
|
||||
ldap_group_filter=ldap_group_filter,
|
||||
ldap_group_gid=ldap_group_gid,
|
||||
ldap_group_scope=ldap_group_scope,
|
||||
ldap_group_admin_dn=ldap_group_admin_dn,
|
||||
db_password=db_password,
|
||||
db_host=db_host,
|
||||
db_user=db_user,
|
||||
|
@ -163,7 +163,8 @@ var (
|
||||
env: "READ_ONLY",
|
||||
parse: parseStringToBool,
|
||||
},
|
||||
common.ReloadKey: "RELOAD_KEY",
|
||||
common.ReloadKey: "RELOAD_KEY",
|
||||
common.LdapGroupAdminDn: "LDAP_GROUP_ADMIN_DN",
|
||||
}
|
||||
|
||||
// configurations need read from environment variables
|
||||
|
@ -108,4 +108,5 @@ const (
|
||||
DefaultNotaryEndpoint = "http://notary-server:4443"
|
||||
LdapGroupType = 1
|
||||
ReloadKey = "reload_key"
|
||||
LdapGroupAdminDn = "ldap_group_admin_dn"
|
||||
)
|
||||
|
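Review bot: The new constant `LdapGroupAdminDn` breaks the initialism convention the neighbouring LDAP group keys already follow (`LDAPGroupBaseDN`, `LDAPGroupSearchScope` appear in the test-config hunk of this same commit), and the struct field introduced alongside it is spelled `LdapGroupAdminDN`, so three variants of one name now coexist. Naming it `LDAPGroupAdminDN`, with the same rename at its other uses in this commit, keeps the Go initialism style consistent; the string value `"ldap_group_admin_dn"` stays as is since it is the wire key.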
@ -33,6 +33,7 @@ type LdapGroupConf struct {
|
||||
LdapGroupFilter string `json:"ldap_group_filter,omitempty"`
|
||||
LdapGroupNameAttribute string `json:"ldap_group_name_attribute,omitempty"`
|
||||
LdapGroupSearchScope int `json:"ldap_group_search_scope"`
|
||||
LdapGroupAdminDN string `json:"ldap_group_admin_dn,omitempty"`
|
||||
}
|
||||
|
||||
// LdapUser ...
|
||||
|
@ -27,6 +27,7 @@ import (
|
||||
ldapUtils "github.com/vmware/harbor/src/common/utils/ldap"
|
||||
"github.com/vmware/harbor/src/common/utils/log"
|
||||
"github.com/vmware/harbor/src/ui/auth"
|
||||
"github.com/vmware/harbor/src/ui/config"
|
||||
)
|
||||
|
||||
// Auth implements AuthenticateHelper interface to authenticate against LDAP
|
||||
@ -84,8 +85,17 @@ func (l *Auth) Authenticate(m models.AuthModel) (*models.User, error) {
|
||||
return nil, auth.NewErrAuth(err.Error())
|
||||
}
|
||||
|
||||
//Retrieve ldap related info in login to avoid too many traffic with LDAP server.
|
||||
//Get group admin dn
|
||||
groupCfg, err := config.LDAPGroupConf()
|
||||
groupAdminDN := strings.TrimSpace(groupCfg.LdapGroupAdminDN)
|
||||
//Attach user group
|
||||
for _, groupDN := range ldapUsers[0].GroupDNList {
|
||||
|
||||
if len(groupAdminDN) > 0 && groupAdminDN == groupDN {
|
||||
u.HasAdminRole = true
|
||||
}
|
||||
|
||||
userGroupQuery := models.UserGroup{
|
||||
GroupType: 1,
|
||||
LdapGroupDN: groupDN,
|
||||
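Review bot: The error from `config.LDAPGroupConf()` on the `groupCfg, err :=` line is never checked, so if the config lookup fails `groupCfg` is dereferenced on the very next line and the login path can panic, or, if a non-nil empty struct comes back, the admin mapping is silently skipped. Fail closed by returning the error before reading it: `if err != nil { return nil, err }`. The match itself is a byte-exact `==` after trimming only the configured side; LDAP DNs are generally matched case-insensitively and a directory may return the user's group DNs with different case or spacing than the operator typed, so trimming both sides and comparing with `strings.EqualFold` would be more faithful — worth confirming against how `GroupDNList` is populated. Authenticate's body starts and continues outside this hunk.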
@ -210,7 +220,8 @@ func (l *Auth) PostAuthenticate(u *models.User) error {
|
||||
return nil
|
||||
}
|
||||
u.UserID = dbUser.UserID
|
||||
u.HasAdminRole = dbUser.HasAdminRole
|
||||
//If user has admin role already, do not overwrite by user info in DB.
|
||||
u.HasAdminRole = u.HasAdminRole || dbUser.HasAdminRole
|
||||
|
||||
if dbUser.Email != u.Email {
|
||||
Re := regexp.MustCompile(`^[a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,4}$`)
|
||||
|
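Review bot: The new assignment makes `HasAdminRole` the union of the LDAP-group result and the stored DB flag, but the comment above it says the DB value must not overwrite, which reads as the opposite precedence; a comment such as `// Admin is granted if either the LDAP admin group or the stored DB flag says so; the LDAP result alone never revokes a DB-granted admin.` states the actual rule. Because the OR never clears the flag, removing a user from the LDAP admin group only takes effect if the LDAP-derived value is never persisted back to the user table; that persistence is not visible in this hunk and should be confirmed, since otherwise group revocation would not revoke admin. PostAuthenticate starts and ends outside this hunk.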
@ -69,6 +69,7 @@ var adminServerLdapTestConfig = map[string]interface{}{
|
||||
common.LDAPGroupBaseDN: "dc=example,dc=com",
|
||||
common.LDAPGroupAttributeName: "cn",
|
||||
common.LDAPGroupSearchScope: 2,
|
||||
common.LdapGroupAdminDn: "cn=harbor_users,ou=groups,dc=example,dc=com",
|
||||
}
|
||||
|
||||
func TestMain(m *testing.M) {
|
||||
@ -181,6 +182,38 @@ func TestSearchUser(t *testing.T) {
|
||||
t.Errorf("Search user failed %v", user)
|
||||
}
|
||||
}
|
||||
func TestAuthenticateWithAdmin(t *testing.T) {
|
||||
var person models.AuthModel
|
||||
var authHelper *Auth
|
||||
person.Principal = "mike"
|
||||
person.Password = "zhu88jie"
|
||||
user, err := authHelper.Authenticate(person)
|
||||
if err != nil {
|
||||
t.Errorf("unexpected ldap authenticate fail: %v", err)
|
||||
}
|
||||
if user.Username != "mike" {
|
||||
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
|
||||
}
|
||||
if !user.HasAdminRole {
|
||||
t.Errorf("ldap user mike should have admin role!")
|
||||
}
|
||||
}
|
||||
func TestAuthenticateWithoutAdmin(t *testing.T) {
|
||||
var person models.AuthModel
|
||||
var authHelper *Auth
|
||||
person.Principal = "user001"
|
||||
person.Password = "zhu88jie"
|
||||
user, err := authHelper.Authenticate(person)
|
||||
if err != nil {
|
||||
t.Errorf("unexpected ldap authenticate fail: %v", err)
|
||||
}
|
||||
if user.Username != "user001" {
|
||||
t.Errorf("unexpected ldap user authenticate fail: %s = %s", "user.Username", user.Username)
|
||||
}
|
||||
if user.HasAdminRole {
|
||||
t.Errorf("ldap user user001 should not have admin role!")
|
||||
}
|
||||
}
|
||||
func TestSearchUser_02(t *testing.T) {
|
||||
var username = "nonexist"
|
||||
var auth *Auth
|
||||
|
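Review bot: In both new tests `user.Username` is read right after `t.Errorf` on a non-nil error, so a failed LDAP bind dereferences a nil `user` and the test panics instead of reporting the failure; use `t.Fatalf("unexpected ldap authenticate fail: %v", err)` there so the test stops before the nil access. Both tests also call `Authenticate` through a nil receiver (`var authHelper *Auth`), which only works as long as the method never touches its receiver; an `&Auth{}` literal would keep the tests valid if a field is added later. The admin/non-admin split depends on the fixture users `mike` and `user001` and on `cn=harbor_users,...` being the configured admin group in the test config, which is in a separate hunk.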
@ -249,6 +249,9 @@ func LDAPGroupConf() (*models.LdapGroupConf, error) {
|
||||
ldapGroupConf.LdapGroupSearchScope = int(scopeFloat)
|
||||
}
|
||||
}
|
||||
if _, ok := cfg[common.LdapGroupAdminDn]; ok {
|
||||
ldapGroupConf.LdapGroupAdminDN = cfg[common.LdapGroupAdminDn].(string)
|
||||
}
|
||||
return ldapGroupConf, nil
|
||||
}
|
||||
|
||||
|
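Review bot: The new branch uses an unchecked type assertion, `cfg[common.LdapGroupAdminDn].(string)`, so a value stored under that key with any other dynamic type (for example a JSON `null` decoded as `nil`) panics inside config loading instead of yielding an empty DN. Use the comma-ok form, `if v, ok := cfg[common.LdapGroupAdminDn].(string); ok { ldapGroupConf.LdapGroupAdminDN = v }`, which also subsumes the present key-existence check; the scope branch just above converts through a float with its own guard, so this matches that defensive style. LDAPGroupConf starts outside this hunk.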